
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2026-48501 - GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. Th... read CVE-2026-48501
    Published: May 29, 2026; 12:16:31 PM -0400

    V3.1: 9.1 CRITICAL

  • CVE-2026-40425 - The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
    Published: May 29, 2026; 3:16:23 PM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2026-45286 - Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggest... read CVE-2026-45286
    Published: June 01, 2026; 3:16:50 PM -0400

  • CVE-2026-45285 - Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email ad... read CVE-2026-45285
    Published: June 01, 2026; 3:16:50 PM -0400

  • CVE-2026-45284 - Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has be... read CVE-2026-45284
    Published: June 01, 2026; 3:16:50 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-37232 - An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c... read CVE-2026-37232
    Published: June 01, 2026; 3:16:33 PM -0400

  • CVE-2026-30963 - Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, i... read CVE-2026-30963
    Published: June 01, 2026; 3:16:22 PM -0400

    V3.1: 2.7 LOW

  • CVE-2026-0072 - In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not ne... read CVE-2026-0072
    Published: June 01, 2026; 3:16:19 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-45149 - The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence gene... read CVE-2026-45149
    Published: May 29, 2026; 4:16:25 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-37978 - A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role ... read CVE-2026-37978
    Published: May 19, 2026; 8:16:17 AM -0400

  • CVE-2026-9308 - Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitra... read CVE-2026-9308
    Published: June 01, 2026; 9:16:33 AM -0400

  • CVE-2026-9309 - Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal p... read CVE-2026-9309
    Published: June 01, 2026; 9:16:33 AM -0400

  • CVE-2026-10270 - A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may ... read CVE-2026-10270
    Published: June 01, 2026; 1:16:43 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-45247 - Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarm... read CVE-2026-45247
    Published: May 26, 2026; 11:16:39 AM -0400

  • CVE-2026-37981 - A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally ide... read CVE-2026-37981
    Published: May 19, 2026; 8:16:18 AM -0400

  • CVE-2026-37982 - A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker ... read CVE-2026-37982
    Published: May 19, 2026; 8:16:18 AM -0400

  • CVE-2026-4630 - A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belon... read CVE-2026-4630
    Published: May 19, 2026; 8:16:19 AM -0400

  • CVE-2026-7307 - A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading ... read CVE-2026-7307
    Published: May 19, 2026; 8:16:19 AM -0400

  • CVE-2026-7504 - A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive informati... read CVE-2026-7504
    Published: May 19, 2026; 8:16:19 AM -0400

  • CVE-2026-44211 - Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available p... read CVE-2026-44211
    Published: June 01, 2026; 1:17:07 PM -0400

Created September 20, 2022, Updated August 27, 2024